Password expiration/aging?
Hi,

I am doing some experimenting with password expiration and found that
not much is working in Heimdal.

- When I set the password expiration time by hand to a time before now

    kadmin> mod --pw-expiration-time=2006-08-16 vanilla
    kadmin> list -l vanilla
    Principal: vanilla@SLAC.STANFORD.EDU
    Principal expires: never
    Password expires: 2006-08-16 23:59:59 UTC
    [...]

  I cannot get a TGT - which is good - but I also cannot change the
  password:

    % kinit vanilla
    vanilla@SLAC.STANFORD.EDU's Password:
    kinit: krb5_get_init_creds: Password has expired
    % password vanilla
    vanilla@SLAC.STANFORD.EDU's Password:
    password: krb5_get_init_creds: Password has expired

  Should I not be able to change the password in this situation?
  What's even worse is that if I do a kinit with a _wrong_ password,
  I still get a "Password has expired" message which leaks information
  about our accounts out to just about anybody.

- Another thing I tried is to set the "requires-pw-change" attribute
  of an account

    kadmin> mod --attributes=requires-pw-change vanilla

  But the KDC does not even store this attribute change. A
  "kadmin list -l vanilla" shows an empty "Attributes" list.

So, is there anything in Heimdal that makes password expiration/aging
possible?

Many thanks,
Alf.
-----------------------------------------------------------------------
Alf Wachsmann | e-mail: alfw@slac.stanford.edu
SLAC - Scientific Computing | Phone: +1-650-926-4802
2575 Sand Hill Road, M/S 97 | FAX: +1-650-926-3329
Menlo Park, CA 94025, USA | Office: Bldg. 50/323
-----------------------------------------------------------------------
http://www.slac.stanford.edu/~alfw (PGP)
-----------------------------------------------------------------------